escaping/sanitizing plugin output in nagios web interfaces

David Schlecht dgsconsulting at gmail.com
Tue Apr 3 16:22:05 CEST 2007


On 4/2/07, sean finney <seanius at seanius.net> wrote:
>
> hey ethan et al,
>
> someone raised a bug in the debian bts:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416814
>
> basically bringing to light the fact that the output from various
> plugins is placed verbatim into web page output.  the theoretical
> problem with this is that some remote host could place XSS code in the
> output, making it possible to hijack/co-opt the nagios admin's web
> browser to do naughty things.
>
>
This same bug exists in config.c when displaying arguments TO the plugins.

-David
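
The fix both messages point toward is to HTML-escape plugin output and plugin arguments before a CGI writes them into a page. The following is an added example, not part of the original thread and not code from the Nagios source; `html_escape_into` is a hypothetical helper name and the sample string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Nagios function): HTML-escape untrusted text,
 * e.g. plugin output or a command argument, into dst (dstlen bytes, NUL
 * included). Returns the escaped length, or (size_t)-1 if dst is too small;
 * dst is then a truncated string that never ends in a partial entity. */
size_t html_escape_into(char *dst, size_t dstlen, const char *src)
{
    size_t out = 0;

    if (dst == NULL || dstlen == 0 || src == NULL)
        return (size_t)-1;

    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        size_t n;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;  /* matters inside attributes */
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (out + n >= dstlen) {           /* no room for rep plus NUL */
            dst[out] = '\0';
            return (size_t)-1;
        }
        memcpy(dst + out, rep, n);
        out += n;
    }
    dst[out] = '\0';
    return out;
}

int main(void)
{
    char buf[256];
    /* Constructed sample of hostile plugin output. */
    if (html_escape_into(buf, sizeof buf, "OK <script>alert('x')</script>") != (size_t)-1)
        puts(buf);
    return 0;
}
```

The escaping belongs at the point where the CGI emits the value, so stored plugin output and configured arguments remain unmodified for non-HTML consumers.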